A new lattice-based password authenticated key exchange scheme with anonymity and reusable key

In this article, we propose a novel bilateral generalization inhomogenous short integer solution (BiGISIS)-based password-authenticated key exchange (PAKE) scheme for post-quantum era security. The hardness assumption of the constructed PAKE is based on newly proposed hard lattice problem, BiGISIS. The main aim of this article is to provide a solution for the post-quantum secure PAKE scheme, which is one of the open problems in the literature. The proposed PAKE is the first BiGISIS-based PAKE that satisfies anonymity and reusable key features. The bilateral-pasteurization (BiP) approach is used to obtain the reusable key, and anonymity is achieved thanks to the additional identity components and hash functions. The reusable key structure reduces the time in the key generation, and anonymity prevents illegal user login attempts. The security analysis is done by following the real-or-random (RoR) model assumptions. As a result of security examinations, perfect forward secrecy (PFS) and integrity are satisfied, and the resistance against eavesdropping, manipulation-based attack (MBA), hash function simulation, impersonation, signal leakage attack (SLA), man-in-the-middle (MitM), known-key security (KKS), and offline password dictionary attack (PDA) is captured. According to the comparison analysis, the proposed PAKE is the first SLA-resistant lattice-based PAKE with reusable key and anonymity properties.


INTRODUCTION
The wireless communication technologies that provide practical and easy usage have enabled the widespread use of mobile devices.The increasing number of users and the openness of communication have brought these devices against various threats in terms of security.These attacks may disrupt network operations and adversely affect the system resources.The lack of security features such as authentication and anonymity will cause information leakage and unauthorized access (Dabra, Bala & Kumari, 2020).With authenticated key exchange (AKE) schemes that provide anonymity, the user is authorized to access mobile devices anonymously.Hence, he/she can securely log in to the server over an insecure channel by protecting the privacy of his/her identity.An adversary two-factor authentication with reusable key.The main hardness of the proposed PAKE was based on the RLWE problem and used fuzzy-verifier + honeywords approach (Wang & Wang, 2016) to provide resistance against two-factor-based attacks.The resistance against smard-card-based attacks were analyzed with formal security analysis under the ROM assumptions.

Motivation and contribution
PAKE schemes that meet the authentication requirements for key-sharing techniques by utilizing passwords are used in different areas.Thanks to these schemes, high-entropy shared session keys are obtained by using low-entropy and easy-to-remember passwords.With the PQC concept, the need for quantum secure PAKE schemes for different applications has arisen (Ott, Peikert et al., 2019;Hao, 2021).According to the current literature, two main properties, anonymity, and reusable key, are captured with PAKE schemes.The anonymity that gives user privacy and the reusable key features that efficiently use system resources are essential to propose solutions for these requirements.The number of schemes that provide these features is also quite limited.We sought an answer to how to design a PAKE protocol with appropriate processing steps for post-quantum security of mobile devices with additional features.Then, we constructed a four-phase BiGISIS.PAKE scheme, whose security is based on the assumptions of BiGISIS.The main contributions of the proposed BiGISIS.PAKE to the literature is highlighted as follows.
• The first BiGISIS-based PAKE scheme, which provides anonymity and reusable key features, is proposed for post-quantum security of mobile devices.
• The BiP approach is used to reduce the time spent on key generation by obtaining a reusable key.Unlike the methods in the literature, the reusable key feature does not cause SLA thanks to the part selection-based reconciliation method, the most significant bit (MSB).
• Anonymity is achieved to prevent illegal user login attempts by using pseudo-identity components and additional hash functions.
• The security analysis is presented by following the RoR model assumptions.As a result of security analysis, PFS and integrity are satisfied, and the resistance against eavesdropping, hash function simulation, manipulation, impersonation, MitM, KKS, and offline PDA are captured.
• To the best of our knowledge, it is the first SLA-resistant lattice-based PAKE scheme that provides anonymity and reusable key.

Organization
The rest of this manuscript is organized as follows.In 'Preliminaries', the notation and the mathematical background are given.In 'Proposed PAKE', each phase of the proposed scheme is explained step-by-step.Parameter selection constraints, basic computations, and protocol flow are explained in detail.In addition, the verification is done by examining basic assumptions and key parameters.In 'Security Analysis', the semantic security and attack resistances are discussed.The comparison with similar four-phase lattice-based PAKE schemes is given in 'Comparison'.Finally, the conclusion is discussed in 'Conclusion'.

PRELIMINARIES
The symbols used in this article are listed as follows.
• a T : The transpose of the vector a.
• X ← r χ : X is randomly chosen from χ .
• pw a ,id a : The password and the ID value of a, respectively.
The post-quantum security of the proposed PAKE is captured by following the hardness assumption of the BiGISIS problem.The main properties of this problem are recalled with Definition 1. Definition 1 (BiGISIS Problem; Jing et al., 2019): Let x 1 = As 1 + e 1 mod q and x T 2 = s T 2 A + e T 2 mod q is computed by using A ∈ m×m q , {s 1 ,s T 2 }← r χ , and {e 1 ,e T 2 }← r χ .The main purpose of the BiGISIS problem is to obtain the secret keys s 1 and s T 2 , given the public keys x 1 and x T 2 .The hardness of the BIGISIS problem is explained by the decisional version of the BiGISIS (DBiGISIS) problem.Let {A,x 1 ,x T 2 } be given.The DBiGISIS is a problem of deciding whether {x 1 ,x T 2 } belong to the uniformly random distribution ( Jing et al., 2019).The hardness of the DBiGISIS problem was explained by using the M-LWE problem.Conclusion 1 Assume that the hardness assumption of the DBiGISIS problem given by Lemma 1 is satisfied.Then, the hardness of the DBiGISIS problem is equivalent to the hardness of the decisional-M-LWE problem (Jing et al., 2019).Langlois & Stehlé (2015), it was shown that there is no polynomial time algorithm to solve the decisional-M-LWE problem, even if in the presence of quantum computers.Based on these proofs, there is also no PPA to solve the DBiGISIS problem since there is a reduction between decisional-M-LWE.So, if a scheme is built based on the BiGISIS hardness assumption, it will be secure unless an algorithm can also solve the MLWE problem.

Remark 1 In
The MSB function was naturally used to agree on the shared key in the BiGISIS-based KE schemes due to the bilateral structure of distribution.In the proposed PAKE, the MSB function is chosen as a reconciliation mechanism to solve the problem of not being able to generate shared keys directly.The explanation of MSB is recalled in Definition 2. Definition 2 (MSB Function): Let x ∈ Z q be input.There are two possible outputs for y = MSB(x).If q 4 < |x| < q 2 then y = 1, otherwise y = 0.In the proposed PAKE, cyber attackers cannot extract the actual identity or monitor any user's action through the compromised information since it provides anonymity property.The definition of anonymity is remembered in Definition 3. Definition 3 (Anonymity): Anonymity means that the identity of one party is kept confidential even from the other party with whom it is communicating.It seems like an antiauthentication feature as one party wants no one to be able to identify it to protect its privacy.Although anonymity and authentication are two opposite features in practice, the user who wants to remain anonymous also wants to be sure of the other party's identity (Feng et al., 2018).Cyber attackers cannot use or track the user's identity thanks to the anonymity feature.So, an anonymous PAKE allows legitimate users to log into the server over an unsecured network without compromising their identity.Anonymous authentication has been one of the features evaluated in the PAKE protocol design, as personal security will be protected in online interactions (Goldberg, Stebila & Ustaoglu, 2013).To achieve anonymity in the PAKE scheme design, the user's identity is stored anonymously with so-called additional components and some operations.
As an additional property, the proposed PAKE satisfies the reusable key to obtain run-time efficiency.The definition of the reusable key is given in Definition 4. Definition 4 (Reusable Key): In KE schemes, it is desired that the public key be reusable to reduce the time in the key generation and storage costs.Different techniques have been proposed to provide the reusable key feature for lattice-based key-sharing schemes (Akleylek & Seyhan, 2020;Seyhan et al., 2021;Zhang et al., 2015;Ding, Branco & Schmitt, 2019;Gao et al., 2018;Ding et al., 2018).The reusable key feature can make the constructed protocols vulnerable to SLA (Bindel, Stebila & Veitch, 2021).An SLA can occur with the reuse of the keys in protocols that use an additional information-based reconciliation mechanism since the shared key and additional information can leak information about the secret key (Qin et al., 2022).
In the literature, the reusable key in lattice-based PAKE schemes was captured with (Ding et al., 2018) and (Gao et al., 2018) methods.However, these techniques caused SLA since they were used with sending additional information-based reconciliation.The BiP method is included in the proposed PAKE to provide the reusable key feature.Definition 5 (BiP Method): Let A ∈ m×m q , g 2 ,g T 1 ← r χ, H 2 : {0,1} * → χ be a hash function, and {x 1 ,x T 2 } is generated by considering Definition 1.The BiP components is defined with { ← → and provide the reusable key feature due to the same distribution properties.There are two possible situations.
The PPA that can solve the BiGISIS problem in case 1 with the BiP method is unknown.In case 2, the components are close to the uniform distribution.The reusable keys are satisfied since any attacker (Ă) cannot obtain information about previous secret keys using these components.
Remark 2 Note that in order to provide the reusable key feature with the BiP method, a reconciliation structure that does not include sending additional information should be used.
The SLA-resistant reusable key feature is achieved since the MSB function, which provides reconciliation with the most significant region, is used in the proposed protocol.We refer to Akleylek & Seyhan (2020), Seyhan et al. (2021) to check the detailed proof that shows the reusable key power of the BiP method.
In the proposed PAKE, the CDF-Zipf (Wang et al., 2017) model is followed to characterize the password distribution in the security analysis.Definition 6 (CDF-Zipf Model): Let Correctpw be the event of adversary's guessing a correct password with the PDA, DS be the size of password dictionary, and n op be the maximum number of active password-guessing attempts before a corrupt query.The probability of event correctpw in the conventional approaches is Pr [Correctpw] = n op DS + negl(n).Since these methods underestimate the adversary's power in real-world applications, CDF-Zipf, which provides the characterized password distribution, is preferred to obtain a realistic examination of password guess.Let C ∈ [0.001,0.1]and f ∈ [0.15,0.30]be CDF constants that can be computed by linear regression.According to CDF-Zipf, the probability of Correctpw is determined by using Eq.(1).

PROPOSED PAKE
The proposed post-quantum secure two-party BiGISIS.PAKE scheme consists of four phases that ensure anonymity and reusable key features.The main hardness relies on the BiGISIS problem.During the setup phase, system parameters are generated.In the registration phase, registration is made for the interaction of the mobile user with the server.Due to the additional components used in login&password-based mutual authentication, reusable key, authentication, and anonymity features are provided.The possible need for the password update requirement is also defined.

Setup phase
ś performs the setup stage and generates the system parameters.• n is chosen to be the power of 2. The sensitivity of the application is also considered in the selection of n.Then, the module dimension m is chosen such that m ≥ 2.
• The odd prime number q is selected such that q mod 2n = 1.
• The common public key A← r m×m q is selected and the distribution χ is defined.
• ś generates the static public key , and H 2 : {0,1} * → χ are specified for the BiP, authentication check, and password-based shared key generation.

Registration phase
The mobile user registration is performed after the setup is completed.All messages are assumed to be transmitted over the secure channel at this stage.Due to the registration phase, user registration and the shared key agreement are achieved securely.The mobile user registration is completed by performing the enumerated steps in Fig. 1.Then, the login&password-based mutual authentication phase is started.In Fig. 1, the mobile user starts the registration by sending the client ID (id ḿ) to the server.In lines 3-5, the server makes some random selections (t ,s T * ś ) and computes the registration parameter (d * ḿ) to package the ID and secret key.In line 6, the server sends {t ,d * ḿ,pid ḿ} to the mobile user to generate registration parameter.In lines 7-9, the mobile user computes the registration parameter (d ḿ) and packaged password (PW ḿ = H 1 (v ḿ)).Finally, the mobile user and the server store {pid ḿ,d ḿ} and {pid ḿ,PW ḿ,s T * ś } in the databases, respectively.

Login&password-based mutual authentication phase
At this stage, an insecure version of the communication channel is considered.With password-based authentication, the shared key is generated.By using hash function H 0 and cid ḿ components, the anonymity feature is obtained.To get the reusable key feature, the BiP method, given in Definition 5, is used.The operations of this stage are detailed in Fig. 2.
Let's detail each party's computations by looking at them step-by-step according to Fig. 2. to the server.
• Lines 10-21 for Server: In line 10-11, the server decrypts the packaged mobile user public key (x * ḿ) with the help of the fetched password (PW ḿ) by using pid ḿ.In lines 13-14, the server generates its temporary public key (x T ś ).In lines 15-17, the server determines and computes BiP components to provide the reusable key feature.Based on these calculations, the server generates its key component (k ś ).Then, he/she uses MSB reconciliation to agree on the same shared key.Finally, the server sends its public key (x T ś ) and authentication component (α ś ) to the mobile user.• Lines 22-34 for Mobile User: In lines 22-24, the mobile user computes BiP-related components to ensure the reusable key feature with the computation of (

Seyhan and
After running the login&password-based mutual authentication phase, the mobile user and the server agree on a password-authenticated shared key.The final step, the password update phase, is optional and should be used when the parties need to update the password.

Password update phase
The password update step is performed when the user wants to update her/his password.It is assumed that all transmitted messages are sent over an secure channel.The password update stage is explained in Fig. 3.The step-by-step definition of Fig. 3 is summarized as follows.
• Lines 1-4 for mobile user: By using fetched {pid ḿ,d ḿ}, he/she determines the password component (v ḿ) to derive the main password (PW * ḿ) and sends it to server to check the password update requirement.
• Lines 5-8 for server: The server brings back the stored password (PW ḿ) by using pid ḿ.In line 6, if a match is achieved, the server sends a warning message and allows the mobile user to initiate the password update process.
• Lines 9-13 for mobile user: In lines 9-12, the password-related components (pw new ḿ , d new ḿ , PW new ḿ ) are re-generated and new password information (d new ḿ ) is stored in the database.Finally, the mobile user sends the updated password (PW new ḿ ) to the server.• Line 14 for server: The updated password is received from the mobile user and is stored in the server database.
The correctness analysis of the proposed PAKE is discussed in 'Correctness analysis'.

Correctness analysis
In the proposed BiGISIS.PAKE scheme, the necessary conditions to derive the shared key are computed based on the static and ephemeral key components.Due to the number of sub-components, the upper bound is determined by examining the static ones (k ś ,k ś ).By considering Fig. 2, if k ś and k ś ' are rewritten, Eq. ( 2) is obtained.
Since q = O(2 λ ϑβ) and s T ś As ḿ ≈ q, the probability of

Additional properties of proposed PAKE
With the proposal of BiGISIS.PAKE, it is aimed to obtain a post-quantum secure PAKE scheme with additional features, basically reusable key and anonymity.These properties are defined in Definitions 3-4.In the constructed scheme, anonymity is captured with the usage of an additional identity component and the one-way property of the hash function.The reusable key is provided by adding BiP components that allow storing the secret key in case the public key is reused.Let's show how these properties are satisfied with the proposed PAKE according to the login&password-based mutual authentication phase, given in Fig. 2.
• Anonymity: According to Definition 3, id ḿ value should not be obtained by the attacker (Ă) to ensure anonymity.In the proposed PAKE, with step 37, id ḿ = cid ḿ ⊕ H 0 (x ḿ,ψ ḿ,x T ś ,ψ ś ) is determined.Let's show that Ă cannot obtain all the components included in this calculation through possible attempts.Suppose that Ă captures {pid ḿ,x ḿ}, {x T ś ,α ś }, and {cid ḿ,α ḿ} with MitM attack.Ă obtains x T * ś = r T * ś A+f T * ś using the modified r T * ś ,f T * ś ← r χ .Also, by using Although Ă can get s T ś with Corrupt-ś(ś j ) query, defined in Section 'Security Analysis', the BiP method component r T ś is unknown.The only possible way to get r T ś is to solve the BiGISIS problem.It is known that even in the presence of quantum computers, r T ś cannot be obtained as a result of Lemma 1 and Conclusion 1. Overall, Ă cannot get id ḿ and anonymity is ensured.
• Reusable Key: In the proposed PAKE, the reusable key is provided with the help of BiP component, added in steps 17 and 24.According to Definition 5, the computed ḿ have same distribution properties with x ḿ and x T ś , respectively and hide the general properties of x ḿ and x T ś .So, even if an Ă gets sk ś ḿ = H 0 (id ḿ,cid ḿ,x ḿ,ψ ḿ,α ḿ,x T ś ,ψ ś ,α ś ) = sk ḿś , he/she cannot obtain any information about real/static secret keys when the session is run multiple times.So, the reusable key property is satisfied.
The detailed security analysis of the BiGISIS.PAKE is shown in 'Security Analysis'.

SECURITY ANALYSIS
The main hardness of the proposed scheme is based on the BiGISIS problem.Since an algorithm that can solve this problem in polynomial time is not known in quantum computers, it provides provable security.The detailed security analysis in RoR (Abdalla, Fouque & Pointcheval, 2005) shows that any PPA Ă can gain a negligible advantage over the scheme.In the RoR model, all standard send, execute, corrupt, reveal, and test queries are considered.Let U be the any party of the scheme.
• send (U ,i,M ): The message M is sent to the i-th instance U .According to the protocol flow, the instance generates the components and gives the outputs to Ă.
• execute ( ḿ,i,ś,j): The protocol is run between i-th instance ḿ and j-th instance ś.The output is the executed protocol transcript and is returned to Ă.
• corrupt (U ): The password of instance U is returned to Ă.
• reveal (U ,i): This query is made by Ă and obtains the session key of U .The shared key of the i-th instance of user U is sent to Ă as an output.This query is constructed with the requirement that a session key captured by Ă should not affect other sessions.
• test (U ,i): i-th instance U flips a bit b.If b = 1, the output is the authenticated shared key of i-th instance U .Otherwise, a uniformly random key is selected as an output.
It is also assumed that a completely random or real shared session key is obtained with an infinite number of test queries.Two additional queries in the Dabra, Bala & Kumari (2020) model are examined to prove that PFS is guaranteed in the proposed scheme.These are remembered as follows.
• Corruptḿ( ḿi ): The manipulation situation in which the user device is captured by A is examined.Performing Corrupt-ḿ( ḿi ) query assumes that Ă has captured all sensitive information stored on ḿ's mobile device.
• Corrupt-ś (ś j ): With this query, it is assumed that the static secret of ś and the secure database of ś are captured by Ă.
The provable security of a PAKE scheme is examined by dealing with semantic security.4) is satisfied, the proposed scheme is said to be semantically secure.
The semantic security of the BiGISIS.PAKE scheme is examined considering Theorem 1. Theorem 1 Let Ă be the PPA adversary attempting to generate the shared key during the login&password-based mutual authentication phase of the BiGISIS.PAKE scheme.The advantage of Ă (Adv) in breaking the scheme's semantic security by obtaining the shared key between ḿ-ś is given by Eq. ( 5).
Let S G i be the event of correctly guessing b in the test queries of Ă in every game G i .b is generated by flipping a coin before the game sequence.Then, it is stored in Ă for games containing test queries.
G 0 : The basic attack is modeled with this game.At the start of the game, Ă guesses the randomly generated b.By rewriting Eq. ( 4), Adv 2 is procured because the random bit is tried to be guessed.So, Adv G 0 Ă = 0. G 1 : In G 1 , the case of an eavesdropping attack on the communication channel of ḿś is modeled.Because of the eavesdropping in G 1 , Ă obtains the transmitted information in the scheme by making execute query.This value is used in test queries to determine whether the shared session key is real or random.Let's examine success of Ă in G 1 .
In Fig. 2, by eavesdropping, {x T ś ,α ś ,cid ḿ,x ḿ,α ḿ} are obtained.In the BiGISIS.PAKE scheme, the shared session key is computed with In addition to the eavesdropping information, Ă needs some values ({id ḿ,ψ ḿ,ψ ś }) to determine the shared session key.Since , the computation of these values depends on the static/ephemeral secret key components and id ḿ.These values cannot be obtained as the algorithm that can solve the BiGISIS problem in polynomial time is not known even in quantum computers.Since Ă does not obtain sk ḿś = sk ś ḿ, Ă's success in G 1 does not change.It is expressed in Eq. ( 6).

Pr[S G
G 2 : In G 2 , an active attack is modeled by using the hash function, send, reveal, and execute queries.It is mainly based on simulating hash functions and examining their collision properties.In this attack, Ă sends modified messages to parties that cannot be detected without {x * ḿ,x T ś } and {α ḿ,α ś } collisions.Let's examine Ă's success in G 2 .
• Ă queries oracles H 0 and H 1 to find {α ḿ,α ś } collision.H 2 oracle is not examined in this game since the parameters of H 2 are in the flow of the scheme and can be obtained by execute queries.Let q H 0 and q H 1 be the number of hash function queries, d H 0 = 2 l and d H 1 = q nm be the output space dimension of H 0 and H 1 , respectively.By considering the birthday paradox, the probability of the collisions of hash functions is maximum • Ă also makes send and execute queries to find {x * ḿ,x T ś } collision.In the normal flow, these parameters are calculated with {r ḿ,r T ś ,f ḿ,f T ś } selected from χ, depending on the BiGISIS distribution.Let the output space dimension of the χ be d χ , and the number of execute and send queries are q execute and q send .By considering the birthday paradox, the probability of the collisions of {x * ḿ,x T ś } is maximum (q send +q execute ) 2 2d χ .
• Ă can obtain the session key (sk ś ḿ = H 0 (id ḿ,cid ḿ,x ḿ,ψ ḿ,α ḿ,x T ś ,ψ ś ,α ś ) = sk ḿś ) by using reveal query.In this case, Ă uses these components to examine whether the parties can obtain static and temporary secret keys.Let's assume that Ă impersonates the mobile user and obtains the shared key.Ă must also know the correct password (PW ḿ) and the correct static/temporary public keys (x ḿ, p ḿ) and authentication components (id ḿ,s ḿ) to bypass the authentication control.The probability of obtaining PW ḿ is determined as 1 d pw d id since Ă should capture the correct ID and PW values, where d pw and d id be the dimension of the passwords and ID's dictionaries, respectively.The correct computation probability of public keys is 2Adv BiGISIS m×1 q since the static and temporary ones can be obtained only by solving the DBiGISIS problem.So, the maximum probability of capturing shared key is 2Adv BiGISIS m×1 q .So, the difference of G 2 from G 1 is given by Eq. ( 7).
G 3 : Unlike G 2 , this game models Ă's manipulation of the ḿ's mobile device with the Corrupt-ḿ( ḿi ) query.This attack assumes that Ă has taken over the device in various ways.Therefore, Ă can access sensitive information and use this information for authentication.
In G 3 , Ă obtains {pid m ,d ḿ} with the Corrupt-ḿ( ḿi ) query.Then, he/she tries to guess ḿ's identity (ID) and password with the send query.With each send query, the possible user ID-password pair is eliminated.Let's examine Ă's success in G 3 .
Let the number of send queries be q send and the dimension of the passwords and ID's dictionaries be d pw and d id , respectively.With the Corrupt-ḿ( ḿi ) query, the success probability of Ă in G 3 is given by Eq. ( 8).
G 4 : Unlike G 3 , Ă gets the internal user role.With the use of this role, G 4 is modeled to make an SLA attack for ś.Finally, Ă makes the send query to obtain the static secret key of ś.Let's examine Ă's success in G 4 .
In the BiGISIS.PAKE, the shared key is generated without sending additional signals, with the MSB reconciliation mechanism, defined in Definition 2, based on parameter limits.As expressed in the Fig. 2, no signal is sent for ḿ or ś .Therefore, SLA cannot be made by using public keys {x ḿ,p m }.The success probability of Ă in G 4 is given by Eq. ( 9).
Note 1 Note that it was stated that if a BiGISIS problem-based key-sharing idea uses a reconciliation solution without sending additional information, SLA cannot be applicable to the constructed scheme.For detailed security proofs, we refer to Bindel, Stebila & Veitch (2021), Qin et al. (2022).G 5 : Unlike G 4 , Ă gains an ability to make the Corrupt-ś (ś j ) query.With this query, Ă gets the static secret key of ś (s T ś ) from the secure database of the user in ś .If the success probability of Ă is negligible in G 5 , the concept of PFS is captured (Dabra, Bala & Kumari, 2020).In summary, Ă aims to generate the previously shared session keys using the parameters obtained by the Corrupt-ś (ś j ), thereby breaking PFS.Let's examine Ă's success in G 5 .
In this game, the main purpose of Ă is to break PFS by calculating the shared session key sk ḿś = sk ś ḿ given in Fig. 2. Ă can capture various parameters in the following ways.
G 6 : Assume that Ă tried and failed every possible way to break the BiGISIS.PAKE scheme's security in G 0 ,...,G 5 .Ă does the test query and tries to guess procured b.In G 6 , the CDF-Zipf model is also considered to characterize the password distribution.So, the main difference of G 6 from G 5 is re-valuated with Eq. ( 11) by considering CDF-Zipf assumptions.

Security proofs
In the game-based security analysis of the proposed PAKE, resistance analysis against; eavesdropping (G 1 ), hash functions simulation (G 2 ), MBA (G 3 ), SLA (G 4 ), and PFS (G 5 ) attacks are discussed.Let's examine some security-related concepts.
• Integrity: In the proposed PAKE, authentication checks are done with the help of the controls defined in steps 27 and 40.If these steps (α ḿ ?= α ḿ where α ḿ = H 0 (id ḿ,s ḿ,cid ḿ,x ḿ,ψ ḿ,x T ś ,ψ ś ,α ś ) and α ś ?= H 0 (x ḿ,x T ś ,ψ ś )) are satisfied correctly, then ś and ḿ will be valid.The components examined in authentication include all messages exchanged between the two parties and are generated with a secure hash function (H 0 ).Thus, the protocol satisfies the integrity and authentication of the message.
• Offline PDA: Let Ă captures the mobile device at the registration stage and obtains ) ⊕ H 0 (id ḿ,pw ḿ) and v ḿ = H 0 (id ḿ,pw ḿ,d ḿ) given in Fig. 1.In this case, even if Ă guesses pw ḿ correctly, Ă cannot complete the registration phase without id ḿ.Overall, it is resistant to offline dictionary attacks.
• KKS: In the constructed PAKE, shared key is computed with sk ś ḿ = H 0 (id ḿ,cid ḿ,x ḿ,ψ ḿ,α ḿ,x T ś ,ψ ś ,α ś ).Each component varies depending on the session and unique parties.In addition, the reusable key feature is provided.So, the attacker cannot obtain information about previous or subsequent sessions and KKS is provided.

COMPARISON
The parameters are chosen based on Ding, Cheng & Qin (2022) and the reconciliation's upper limit.The calculation model of Islam & Basu (2021) is used to obtain the running

Notes.
For example, BiGISIS.PAKE needs 3 H 0 and 1 H 1 hash function for ḿ during in registration.χ : Represents the parameters selected from the discrete gaussian distribution.Sig, Mod 2 , and MSB represent the number of reconciliation functions.
x represents the number of multiplications needed in the step.
time comparison results of Ding, Cheng & Qin (2022) and the BiGISIS.PAKE schemes.In Ding, Cheng & Qin (2022), Sony Xperia XP with Qualcomm MSM8996 1.5 GHz CPU and 3 GB RAM was used for ḿ.For ś, the experiments are based on two 32-core computers with 3 GHz Intel Xeon E5-2620 CPUs and 64GB RAM.For n = 512, the approximate average run times of main computations are presented in Table 1 and are determined with 10,000 times running results.
To determine approximate average times of ḿ and ś , the main components of each phase are defined in Table 2.
By using Table 1 and Table 2, the running times of the proposed scheme are presented in Table 3 by giving phase-wise results.
To make a comparison, the running times of Ding, Cheng & Qin (2022) phases are also determined by using the same calculation method.Note that in the current literature, two four-phase PAKE have been proposed with similar design ideas.Since Dabra, Bala & Kumari (2020) was proven to be vulnerable to SLA in Ding, Cheng & Qin (2022), we only performed the comparison with Ding, Cheng & Qin (2022).Let's explain how the calculations in Table 3 were made for the BiGISIS scheme.In Table 3, the BiP components are the main reason for high running times for the BiGISIS.PAKE.The other fundamental factors that cause differences are visualized in Fig. 4 and summarized in Table 4.
With Fig. 4, the main differences of similar lattice-based PAKE schemes are detailed with a component-base comparison in terms of reconciliation method, hard problem, key generation idea, and SLA resistance solutions.This analysis answers the question of how similar literature PAKE schemes are differentiated from each other.According to Table 4, the proposed BiGISIS.PAKE different from the other PAKEs due to the hard problem, reconciliation structure, and the method for SLA resistance.Even if the BiGISIS.PAKE has much more arithmetic operations and running time due to the BiP method used for SLA resistance and MSB reconciliation function; it does not require any signal information to obtain the shared key.In Dabra, Bala & Kumari (2020), Ding, Cheng & Qin, (2022) and Kumar et al. (2023) the Ding reconciliation method, defined with Cha() and Mod 2 () functions, was added as a solution of reconciliation problem.In this approach, the idea of sending additional information about the key component was used to generate the shared key.In Bindel, Stebila & Veitch (2021), Qin et al. (2022), it was stated that schemes that utilize additional information-based reconciliation will be vulnerable against SLA.Therefore, due to the selected structures, BiGISIS.PAKE is the first lattice-based PAKE resistant to SLA attacks with the anonymity and reusable key in the literature.

CONCLUSION
In this article, a novel lattice-based PAKE scheme, BiGISIS.PAKE, based on the hardness assumption of the BiGISIS problem, is proposed.The anonymity is guaranteed by the one-way property of the hash functions and the inability to obtain static secret keys during the login&password-based mutual authentication phase.BiP approach is added to get the reusable key feature to reduce key generation time.The security analysis of the four-phase BiGISIS.PAKE is performed in the RoR model to show the resistance against eavesdropping, SLA, hash function simulation, and MBA.With the help of additional queries, it is shown that it provides PFS and integrity features.The robustness analysis of the proposed PAKE against impersonation, MitM, KKS, and offline PDA is also presented.Even if the required running time is high due to the reusable key, the public key, generated once, can be used more than once.To the best of our knowledge, the proposed PAKE is the first lattice-based PAKE that satisfies anonymity and reusable key with SLA resistance.

Table 1 The BiGISIS.PAKE approximate average run times in milliseconds (ms).
q.

Table 2
Comparison components.

Table 4 Comparison of four-phase lattice-based PAKE protocols. Hard problem Number of party Number of arithmetic operation − Number of flow* of hash Reconciliation bound Reconciliation components Reusable key Used method for SLA resistance
Subtraction; −−,No computation; − , Number of arithmetic operations used in key component calculation; ROM, Random Oracle Model) + : According to Bindel, Stebila & Veitch (2021) and Qin et al. (2022), because of the used reconciliation, SLA is possible.